Navigation

BT Home Flub: Pwnin the BT Home Hub

published: October 8th, 2007

OK, let me get to the point. The BT Home Hub, which is probably the most popular home router in the UK, is susceptible to critical vulnerabilities.

BT’s plan is to sneak one of these boxes into every UK home. Not only does the BT Home Hub support broadband but also VoIP (BT Broadband Talk), UMA mobile telephony (BT Fusion), and digital TV (BT Vision). Additionally BT will give users the option to use their BT Home Hub to join FON, a community-shared Wi-Fi. An unofficial source has reported us that there are 2+ million BT Home Hub users in the UK.

If you’re thinking: well I’m not based in the UK so this research doesn’t concern me, then think again! The BT Home Hub is just a Thomson/Alcatel Speedtouch 7G router. Furthermore, the vulnerabilities we found are most likely present in other Speedtouch models due to code reuse (more on that later).

So what can we do? Well, we can fully own the router remotely. At the moment we have three demo exploits which do the following:

enable backdoor in order to control the router remotely

disable wireless completely (can only be re-enabled if the user is technically capable)

steal the WEP/WPA key

Of course there other other attacks you could launch! We can hijack any action with full admin privileges or steal any info returned by a router’s page. This means evilness of the exploits are only limited by the attacker’s imagination. Other examples of evil attacks include evesdropping VoIP conversations (change ‘sip config primproxyaddr’ statement in config file), stealing VoIP credentials, exposing internal hosts on the DMZ, change the DNS settings for stealing online banking credentials, disable auto updates (change cwmp.ini section in config file), etc …

The only requirement for the router to be owned is that a victim user visits a (malicious) website. The good news is that our exploits do NOT require knowledge of the admin password! How can that be? Well, we rely on a authentication bypass bug we discovered!

Even though I’ve been the owner of a BT Home Hub for quite a while, I never bothered to try to find vulnerabilities in it. However, on the last dc4420 meeting, after I gave a talk on breaking into Axis cameras, some of the guys there inspired me to research the BT Home Hub. After poking with it for a while, pdp and I couldn’t believe how vulnerable the web interface of the device was! I remember pdp sarcastically saying: wow, it’s really locked down man!, We discovered issues such as:

authentication bypass (any admin action can be made without username/password!)

system-wide CSRF

several persistent XSS

several non-persistent XSS

privilege escalation

We’re now in the process of contacting BT and Thomson. However, I don’t have high hopes for BT. Last year, I found a way to dump the BT Voyager 2091′s config file without credentials. Even though I forwarded them my findings they never responded at all.

Enjoy the demo video which was kindly prepared by pdp. We misspelled some words on the chat conversation, so please forgive us! In the video, the attacker social-engineers the victim to visit a malicious website. The malicious website in turn enables remote assistance on the victim’s router with a password chosen by the attacker. After that, the attacker gains full privileges to the router remotely, and steals the config file and WEP key.

Nice work. A configuration interface that’s not web-based at all, like on my Apple Airport Extreme router might be a good idea after all.

The web and telnet interface on the Thomson router I’ve used was better designed and had more features than those I’ve seen on Belkin and Netgear devices, but obviously they have some work to do towards making it secure.

What’s the point of the post other then to promote yourself? Users of this modem have no work around let alone patch.

“However, I don’t have high hopes for BT” Obviously you didn’t learn from your previous experience. If you releas code they’ll fix it. By making your… annoucement you’ve given enough direction for people with malicious intent to find what you have. But you know all this.

to get “root privileges” then under [ mlpuser.ini ] and delete “defremadmin=enabled” or better yet:
just delete the tech user completely. You could also change the RAS port under [ system_raccess.ini ] although you wouldn’t gain much.

I know there are supposed to be some malicious sites that have cross-scripting to perform attacks on machines/routers. Does anyone have a list of these as I’d like to put some additional rules into my firewalls to prevent access to these sites?

The CSRF, XSS and double-slash auth bypass are still there on version 6.2.6.B.

For instance, although version 6.2.6.B has now password-protected the page that shows the WEP/WPA, it’s still possible to access it *without* authenticating by ending the URL with 2 slashes:http://192.168.1.254/cgi/b/_wli_/seccfg//

Try it on your Home Hub. It should work. This means that people can still steal your WEP/WPA key by scraping the previous URL through one of the many XSS vulns still present on version 6.2.6.B.